Hello everyone,

I have written a setup script to transfer Raspberry Pi images to an SD card and configure them.

From line 418 of the script you find the following code, which is responsible for generating and configuring an image with LUKS, Dropbear and Arch:
if [ "$encrypt_system" == "y" ]
  then
    # @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
    rescue_suffix=".$(date +%s).rescue"
    search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)"
    replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)"
    mkinitcpio_path="/etc/mkinitcpio.conf"
    mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix"
    search_modules="MODULES=()"
    replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)"
    root_mapper_path="/dev/mapper/root"
    fstab_path="/mnt/etc/fstab"
    fstab_rescue_path="$fstab_path$rescue_suffix"
    crypttab_path="/mnt/etc/crypttab"
    crypttab_rescue_path="$crypttab_path$rescue_suffix"
    boot_txt_path="/boot/boot.txt"
    boot_txt_rescue_path="$boot_txt_path$rescue_suffix"
    boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g')
    boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g')
    boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=$encrypted_partition_path:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g')
    info "Setup encryption..." &&
    question "Type in encryption password: " && read -r luks_password
    question "Repeat encryption password:" && read -r luks_password_repeat
    if [ "$luks_password" != "$luks_password_repeat" ]
      then
        error "Passwords didn't match."
    fi
    (
    # Each echo below becomes one line of a script that runs inside the chroot; the trailing && chains the
    # steps, so the first failing step skips the rest and falls through to the || branch on the last line.
    echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"
    echo "cp -v /home/$target_username/.ssh/authorized_keys /etc/dropbear/root_key &&"
    echo "cp -v $mkinitcpio_path $mkinitcpio_rescue_path &&"
    echo "sed -i 's/$search_modules/$replace_modules/g' $mkinitcpio_path &&"
    echo "sed -i 's/$search_hooks/$replace_hooks/g' $mkinitcpio_path &&"
    echo "echo \"Content of $mkinitcpio_path:\$(cat \"$mkinitcpio_path\")\" &&"
    #Concerning mkinitcpio warning @see https://gist.github.com/imrvelj/c65cd5ca7f5505a65e59204f5a3f7a6d
    echo "mkinitcpio -P &&"
    echo "echo '$luks_password' | sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 $encrypted_partition_path &&"
    echo "echo '$luks_password' | sudo cryptsetup -v luksOpen $encrypted_partition_path root &&"
    echo "mkfs.ext4 $root_mapper_path &&"
    echo "mount $root_mapper_path /mnt &&"
    echo "rsync --info=progress2 -axHAX / /mnt/ &&"
    echo "cp -v $fstab_path $fstab_rescue_path &&"
    echo "echo $root_mapper_path' /               ext4    defaults,noatime  0       1' >> $fstab_path &&"
    echo "echo \"Content of $fstab_path:\$(cat \"$fstab_path\")\" &&"
    echo "cp -v $crypttab_path $crypttab_rescue_path &&"
    echo "echo 'root '$encrypted_partition_path' none luks' >> $crypttab_path &&"
    echo "echo \"Content of $crypttab_path:\$(cat \"$crypttab_path\")\" &&"
    #boot.txt just works with raspberry pi 3 @todo Needs to be implemented for arch raspbery pi 4
    echo "cp -v $boot_txt_path $boot_txt_rescue_path &&"
    echo "sed -i 's/$boot_txt_delete_line//g' $boot_txt_path &&"
    echo "sed -i 's/$boot_txt_setenv_origin/$boot_txt_setenv_replace/g' $boot_txt_path &&"
    echo "echo \"Content of $boot_txt_path:\$(cat \"$boot_txt_path\")\" &&"
    echo "cd /boot/ && ./mkscr &&"
    echo "umount $root_mapper_path &&"
    echo "sudo cryptsetup -v luksClose root &&"
    # Cleanup branch: the two messages were run together without a separator, which made the second echo an argument of the first.
    echo "exit || { echo 'Error in chroot environment!'; echo 'Trying to close decrypted root.'; sudo cryptsetup -v luksClose root; }"
    ) | chroot "$root_mount_path" /bin/bash || error
fi
The code produces the following output on the terminal:
[INFO]: Setup encryption... 
[QUESTION]: Type in encryption password:  
test
[QUESTION]: Repeat encryption password: 
test
warning: rsync-3.2.3-1 is up to date -- skipping
warning: autoconf-2.69-7 is up to date -- skipping
warning: automake-1.16.2-3 is up to date -- skipping
warning: binutils-2.35-1 is up to date -- skipping
warning: bison-3.6.4-1 is up to date -- skipping
warning: fakeroot-1.24-2 is up to date -- skipping
warning: file-5.39-1 is up to date -- skipping
warning: findutils-4.7.0-2 is up to date -- skipping
warning: flex-2.6.4-3 is up to date -- skipping
warning: gawk-5.1.0-1 is up to date -- skipping
warning: gcc-10.2.0-1 is up to date -- skipping
warning: gettext-0.21-1 is up to date -- skipping
warning: grep-3.4-1 is up to date -- skipping
warning: groff-1.22.4-3 is up to date -- skipping
warning: gzip-1.10-3 is up to date -- skipping
warning: libtool-2.4.6+44+gb9b44533-14 is up to date -- skipping
warning: m4-1.4.18-3 is up to date -- skipping
warning: make-4.3-3 is up to date -- skipping
warning: pacman-5.2.2-1 is up to date -- skipping
warning: patch-2.7.6-8 is up to date -- skipping
warning: pkgconf-1.7.3-1 is up to date -- skipping
warning: sed-4.8-1 is up to date -- skipping
warning: sudo-1.9.3.p1-1 is up to date -- skipping
warning: texinfo-6.7-3 is up to date -- skipping
warning: which-2.21-5 is up to date -- skipping
warning: uboot-tools-2020.04-1 is up to date -- skipping
warning: dropbear-2020.80-1 is up to date -- skipping
warning: mkinitcpio-utils-0.0.3-5 is up to date -- skipping
warning: mkinitcpio-netconf-0.0.5-2 is up to date -- skipping
warning: mkinitcpio-dropbear-0.0.3-6 is up to date -- skipping
 there is nothing to do
'/home/alarm/.ssh/authorized_keys' -> '/etc/dropbear/root_key'
'/etc/mkinitcpio.conf' -> '/etc/mkinitcpio.conf.1601472644.rescue'
Content of /etc/mkinitcpio.conf:# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=()

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'default'
  -> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.8.9-2-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sleep]
  -> Running build hook: [netconf]
  -> Running build hook: [dropbear]
Generating dss host key for dropbear ...
Unknown key type 'dss'
Usage: /usr/sbin/dropbearkey -t <type> -f <filename> [-s bits]
-t type	Type of key to generate. One of:
		rsa
		ecdsa
		ed25519
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits	Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
           Ed25519 has a fixed size of 256 bits
-y		Just print the publickey and fingerprint for the
		private key in <filename>.
dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
  -> Running build hook: [encryptssh]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
bsdtar: Failed to set default locale
bsdtar: Failed to set default locale
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'fallback'
  -> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.8.9-2-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [sleep]
  -> Running build hook: [netconf]
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: mt7603e
  -> Running build hook: [dropbear]
Generating dss host key for dropbear ...
Unknown key type 'dss'
Usage: /usr/sbin/dropbearkey -t <type> -f <filename> [-s bits]
-t type	Type of key to generate. One of:
		rsa
		ecdsa
		ed25519
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits	Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
           Ed25519 has a fixed size of 256 bits
-y		Just print the publickey and fingerprint for the
		private key in <filename>.
dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
  -> Running build hook: [encryptssh]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
bsdtar: Failed to set default locale
bsdtar: Failed to set default locale
==> Image generation successful
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
WARNING: Device /dev/mmcblk1p3 already contains a 'crypto_LUKS' superblock signature.
Existing 'crypto_LUKS' superblock signature (offset: 0 bytes) on device /dev/mmcblk1p3 will be wiped.
Existing 'crypto_LUKS' superblock signature (offset: 16384 bytes) on device /dev/mmcblk1p3 will be wiped.
Key slot 0 created.
Command successful.
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
Key slot 0 unlocked.
Command successful.
mke2fs 1.45.6 (20-Mar-2020)
Creating filesystem with 14724352 4k blocks and 3686400 inodes
Filesystem UUID: da0071a7-ef0d-4051-9461-145add2be871
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000, 7962624, 11239424

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done   

  1,924,493,579  99%    5.42MB/s    0:05:38 (xfr#32483, to-chk=0/43361)    
'/mnt/etc/fstab' -> '/mnt/etc/fstab.1601472644.rescue'
Content of /mnt/etc/fstab:# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
/dev/mmcblk0p1  /boot   vfat    defaults        0       0
/dev/mapper/root /               ext4    defaults,noatime  0       1
'/mnt/etc/crypttab' -> '/mnt/etc/crypttab.1601472644.rescue'
Content of /mnt/etc/crypttab:# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none
root /dev/mmcblk1p3 none luks
'/boot/boot.txt' -> '/boot/boot.txt.1601472644.rescue'
Content of /boot/boot.txt:# After modifying, run ./mkscr

# Set root partition to the second partition of boot device


setenv bootargs console=ttyS1,115200 console=tty0 ip=::::home-server:eth0:dhcp cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw rootwait smsc95xx.macaddr="${usbethaddr}"

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /Image; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
      booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
    else
      booti ${kernel_addr_r} - ${fdt_addr_r};
    fi;
  fi;
fi
Image Name:   U-Boot boot script
Created:      Wed Sep 30 13:43:18 2020
Image Type:   ARM Linux Script (uncompressed)
Data Size:    668 Bytes = 0.65 KiB = 0.00 MiB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 660 Bytes = 0.64 KiB = 0.00 MiB
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
Command successful.
After inserting the SD card into the Raspberry Pi and trying to reach the system via SSH, I get the following error message:
ssh root@192.168.178.61
cat: can't open '/.cryptdev': No such file or directory
Command requires device and mapped name as arguments.
Connection to 192.168.178.61 closed.
Unfortunately I don't understand what causes this error :/
I hope someone here can help me 😉

Regards 🙂
The encryptssh hook starts a cryptsetup_shell script on login:
# cat /usr/share/mkinitcpio-utils/utils/shells/cryptsetup_shell
#!/bin/sh
if [ -c "/dev/mapper/control" ]; then
    if eval /sbin/cryptsetup luksOpen \`cat /.cryptdev\` \`cat /.cryptname\` \`cat /.cryptargs\` ; then
        echo > /.done
        killall cryptsetup
    fi
else
    echo "encryption bootup not succeeded. please wait!"
fi
That is where the `cat /.cryptdev` comes from that fails for you.

The encryptssh hook creates `/.cryptdev` like this:
# cat /lib/initcpio/hooks/encryptssh
[...]
        echo ${cryptname} > /.cryptname
        echo ${cryptargs} > /.cryptargs

        if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then

            echo ${resolved} > /.cryptdev
That file is missing in your case, i.e. resolve_device on cryptdev failed, i.e. whatever is in your cryptdevice is somehow... wrong, or at least was not found. The hook itself definitely ran up to that point; otherwise you would have seen the same error message for cat /.cryptname and /.cryptargs as well.

A normal initramfs shell could help here (cat /proc/cmdline to see what the parameters are, cat /proc/partitions to see which devices were detected, etc.)

The whole solution looks very hacked together to me...
Great, the hint was helpful and saved me a lot of time and nerves! 🙂
I noticed that the SD card is called mmcblk1 on the computer on which I run the script. When I insert it into the Raspberry, it is called mmcblk0. That was the reason for the error 😉
Yes, that's what UUIDs are for... :-)
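An added example, not code from this thread, from mkinitcpio-utils or from the encryptssh hook, that ties the two replies above together (the hook only writes /.cryptdev after resolve_device succeeds, and a UUID avoids the mmcblk0/mmcblk1 renaming): the script below re-creates that parse, resolve and write sequence against a constructed fake /dev tree in a temp directory, so the failure can be reproduced on any Linux box without a Pi. parse_cryptdevice, run_hook, make_fake_dev, demo, the FAKE_UUID value and the fake tree are all assumptions made for this example; resolve_device is a simplified stand-in for mkinitcpio's function of the same name (only bare /dev paths and UUID= tags via /dev/disk/by-uuid; the real one also understands other tags and does the lookup differently).

```shell
#!/bin/sh
# Added example, not from the thread, mkinitcpio or the encryptssh hook.
# Re-creates what the hook does with cryptdevice= (parse, resolve, write
# /.cryptdev) against a constructed fake /dev tree, to show why the host's
# /dev/mmcblk1p3 is not found on the Pi while UUID= resolves either way.

# Parse "cryptdevice=<device>:<name>[:<options>]" out of a kernel command
# line. Sets CRYPT_DEV, CRYPT_NAME, CRYPT_ARGS; returns 1 if absent/invalid.
parse_cryptdevice() {
    CRYPT_DEV=; CRYPT_NAME=; CRYPT_ARGS=
    for word in $1; do
        case $word in
            cryptdevice=*)
                spec=${word#cryptdevice=}
                CRYPT_DEV=${spec%%:*}
                rest=${spec#"$CRYPT_DEV"}; rest=${rest#:}
                CRYPT_NAME=${rest%%:*}
                CRYPT_ARGS=${rest#"$CRYPT_NAME"}; CRYPT_ARGS=${CRYPT_ARGS#:}
                [ -n "$CRYPT_NAME" ] && return 0
                return 1
                ;;
        esac
    done
    return 1
}

# Simplified stand-in for mkinitcpio's resolve_device (assumption): accept a
# bare device path or a UUID=<uuid> tag and print the canonical device path.
# $1 = fake /dev root (the real hook uses /dev itself), $2 = device spec.
resolve_device() {
    devroot=$1; spec=$2
    case $spec in
        UUID=*) node="$devroot/disk/by-uuid/${spec#UUID=}" ;;
        /dev/*) node="$devroot/${spec#/dev/}" ;;
        *)      return 1 ;;
    esac
    [ -e "$node" ] || return 1
    readlink -f "$node"
}

# The hook's sequence: write /.cryptname and /.cryptargs unconditionally,
# but /.cryptdev only when the device resolved. Returns 1 in the situation
# where the Pi later prints "cat: can't open '/.cryptdev'".
run_hook() {
    devroot=$1; statedir=$2; cmdline=$3
    parse_cryptdevice "$cmdline" || return 1
    echo "$CRYPT_NAME" > "$statedir/.cryptname"
    echo "$CRYPT_ARGS" > "$statedir/.cryptargs"
    if resolved=$(resolve_device "$devroot" "$CRYPT_DEV"); then
        echo "$resolved" > "$statedir/.cryptdev"
        return 0
    fi
    return 1
}

# Constructed fake tree: on the Pi the card is mmcblk0, so only mmcblk0p3
# exists, and a by-uuid symlink points at it. Regular files stand in for
# block device nodes; the UUID is a made-up value.
FAKE_UUID=7c9c1f0a-0000-4000-8000-000000000000
make_fake_dev() {
    devroot=$1
    mkdir -p "$devroot/disk/by-uuid"
    : > "$devroot/mmcblk0p3"
    ln -sf ../../mmcblk0p3 "$devroot/disk/by-uuid/$FAKE_UUID"
}

# Run the thread's command line and the UUID variant; returns 0 when the
# path form fails and the UUID form resolves to mmcblk0p3.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fake_dev "$tmp/dev"
    mkdir -p "$tmp/root"
    host_cmdline="console=tty0 cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw"
    uuid_cmdline="console=tty0 cryptdevice=UUID=$FAKE_UUID:root root=/dev/mapper/root rw"
    rc=0
    if run_hook "$tmp/dev" "$tmp/root" "$host_cmdline"; then
        echo "unexpected: host device path resolved on the fake Pi"; rc=1
    else
        echo "/dev/mmcblk1p3: not found on the Pi, /.cryptdev not written"
    fi
    if run_hook "$tmp/dev" "$tmp/root" "$uuid_cmdline"; then
        echo "UUID=$FAKE_UUID: resolved to $(cat "$tmp/root/.cryptdev")"
        case $(cat "$tmp/root/.cryptdev") in */mmcblk0p3) ;; *) rc=1 ;; esac
    else
        echo "unexpected: UUID form did not resolve"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo
```

Run it as a plain sh script; it prints which of the two command lines resolved. On the real card the equivalent step is reading the partition's UUID with blkid on the host and putting cryptdevice=UUID=<uuid>:root into boot.txt instead of the /dev/mmcblk1p3 path, so the name the host gives the card no longer matters.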